X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=apache2-cn.git;a=blobdiff_plain;f=carnet-generate-ssl;fp=carnet-generate-ssl;h=9a17f02e498935db534698a4693474c0350aa12c;hp=7f618ba3d4be9e7924a9dd8bc3cfc3a522b979bf;hb=c8e3c3944b2a9418f1af2fc90451cb0fe5e15bd2;hpb=b4be4d9887f5100a7441aeb57f3bdfd3d0788e15
diff --git a/carnet-generate-ssl b/carnet-generate-ssl
index 7f618ba..9a17f02 100755
--- a/carnet-generate-ssl
+++ b/carnet-generate-ssl
@@ -20,8 +20,9 @@ FQDN="$2"
 WEBMASTER="$3"
 DOMAIN="$4"
-sslcrt=/etc/ssl/certs
-sslkey=/etc/ssl/private
+SSLDIR=/etc/ssl
+SSLCRTDIR=${SSLDIR}/certs
+SSLKEYDIR=${SSLDIR}/private
 A2CNDIR=$(dirname $0)
 KEYS=
@@ -38,23 +39,23 @@ trap "rm -f $TMPFILE $TMPFILE2" 1 2 15;
 export RANDFILE=/dev/urandom
-cd /etc/ssl
+cd ${SSLDIR}
 # Generate CA
 #
-if [ ! -f ${sslkey}/apache2-ca.key ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.key ]; then
- (umask 077; openssl genrsa -out ${sslkey}/apache2-ca.key 1024)
+ (umask 077; openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key 2048)
 KEYS="${KEYS}
- - ${sslkey}/apache2-ca.key"
+ - ${SSLKEYDIR}/apache2-ca.key"
 fi
-if [ ! -f ${sslkey}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLKEYDIR}/apache2-ca.csr ] || [ -n "$KEYS" ]; then
 cat < $TMPFILE
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = apache2-ca.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
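Review bot: The CA key length 2048 that this hunk introduces is written twice, in the `genrsa` call and in `default_bits = 2048` of the req config written to $TMPFILE, so the two can drift apart on the next edit; define it once beside the new directory variables, `SSLKEYBITS=2048`, and use `openssl genrsa -out ${SSLKEYDIR}/apache2-ca.key ${SSLKEYBITS}` and `default_bits = ${SSLKEYBITS}`. The new `cd ${SSLDIR}` is unchecked, so a missing or unreadable /etc/ssl leaves the script running on in its starting directory; `cd ${SSLDIR} || exit 1` — the same applies to `cd ${SSLCRTDIR}` in the last hunk, where the `ln -sf` that follows would otherwise create the certificate-hash symlink in the wrong directory. The `genrsa` exit status is likewise not checked and a failed generation still appends the key path to KEYS, so give that call `|| exit 1` as well. The `cat` line that opens the config here-document is garbled in this copy of the diff, so the here-document body itself was not reviewed.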
@@ -70,10 +71,10 @@ emailAddress = $WEBMASTER
 EOF
- openssl req -config $TMPFILE -new -key ${sslkey}/apache2-ca.key -out ${sslkey}/apache2-ca.csr
+ openssl req -config $TMPFILE -new -key ${SSLKEYDIR}/apache2-ca.key -out ${SSLKEYDIR}/apache2-ca.csr
 fi
-if [ ! -f ${sslcrt}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
+if [ ! -f ${SSLCRTDIR}/apache2-ca.pem ] || [ -n "$KEYS" ]; then
 cat >$TMPFILE < "$TMPFILE2"
 sed "s/HOST/$FQDN/g; s/DOMAIN/$DOMAIN/g; s/WEBMASTER/$WEBMASTER/g" \
 < $A2CNDIR/templates/openssl.cnf > "$TMPFILE"
 openssl req -config "$TMPFILE" -new -nodes \
- -key ${sslkey}/apache2.key -out ${sslkey}/apache2.csr
+ -key ${SSLKEYDIR}/apache2.key -out ${SSLKEYDIR}/apache2.csr
 openssl x509 -extfile "$TMPFILE" -days 3650 \
- -CAserial "$TMPFILE2" -CA ${sslcrt}/apache2-ca.pem -CAkey ${sslkey}/apache2-ca.key \
- -in ${sslkey}/apache2.csr -req -out ${sslcrt}/apache2.pem
+ -CAserial "$TMPFILE2" -CA ${SSLCRTDIR}/apache2-ca.pem -CAkey ${SSLKEYDIR}/apache2-ca.key \
+ -in ${SSLKEYDIR}/apache2.csr -req -out ${SSLCRTDIR}/apache2.pem
-mod1=`openssl x509 -noout -modulus -in ${sslcrt}/apache2.pem`
-mod2=`openssl rsa -noout -modulus -in ${sslkey}/apache2.key`
+mod1=`openssl x509 -noout -modulus -in ${SSLCRTDIR}/apache2.pem`
+mod2=`openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key`
 if [ "$mod1" != "$mod2" ]; then
 echo "Moduli for server keys don't match."
@@ -126,17 +127,17 @@ if [ "$mod1" != "$mod2" ]; then
 fi
 KEYS="${KEYS}
- - ${sslcrt}/apache2.pem"
+ - ${SSLCRTDIR}/apache2.pem"
 KEYS="${KEYS}
- - ${sslkey}/apache2.key"
+ - ${SSLKEYDIR}/apache2.key"
-cd ${sslcrt}
+cd ${SSLCRTDIR}
 ln -sf apache2.pem $(openssl x509 -hash -noout -in apache2.pem)
 # Fix file access permissions.
 #
-chmod 600 ${sslkey}/apache2-ca.key ${sslkey}/apache2.key
+chmod 600 ${SSLKEYDIR}/apache2-ca.key ${SSLKEYDIR}/apache2.key
 # Cleanup
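Review bot: The rewritten `mod1=`/`mod2=` lines keep the backtick form of command substitution even though the file already uses `$(...)` (`A2CNDIR=$(dirname $0)`, `$(openssl x509 -hash ...)`), so the new side mixes both styles; since these lines are being touched anyway, `mod1=$(openssl x509 -noout -modulus -in ${SSLCRTDIR}/apache2.pem)` and `mod2=$(openssl rsa -noout -modulus -in ${SSLKEYDIR}/apache2.key)`. The `openssl req` and `openssl x509 -req` invocations in this hunk carry no exit-status check, so a failed CSR or signing step still reaches the modulus comparison and the KEYS bookkeeping that follows; `|| exit 1` on each keeps a partially written apache2.pem from being reported as generated. Part of this hunk is missing from the copy under review (the here-document after `cat >$TMPFILE` and the hunk header of the server-certificate section have been cut), so the statements between the second `if` and the `sed` line were not reviewed.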
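Review bot: The new `chmod 600` line tightens the two private keys only at the very end of the script, after the server key has already been generated and used; the CA key is created under `(umask 077; …)` in the second hunk, but the server key's generation is not visible in this diff, and if it does not use the same umask the key is readable by other users until this line runs. Generating the server key the same way as the CA key closes that window and leaves this chmod as a repair of pre-existing files rather than the only protection. A short comment such as `# Keys are created under umask 077; this only repairs permissions of files from older runs.` above the chmod would make the intent explicit.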